Add spec

Oh, and a transaction block. Because the controller after hooks tried to update the DB which resulted in
  PG::InFailedSqlTransaction: ERROR:  current transaction is aborted, commands ignored until end of transaction block

Even for a small rescue statement, it's worth adding a spec. You never know what might not be working!

app/controllers/omniauth_callbacks_controller.rb

@@ -2,7 +2,9 @@
 
 class OmniauthCallbacksController < Devise::OmniauthCallbacksController
   def openid_connect
-    OidcAccount.link(spree_current_user, request.env["omniauth.auth"])
+    ActiveRecord::Base.transaction do
+      OidcAccount.link(spree_current_user, request.env["omniauth.auth"])
+    end
 
     redirect_to admin_oidc_settings_path
   rescue ActiveRecord::RecordNotUnique

spec/requests/omniauth_callbacks_controller_spec.rb

@@ -35,6 +35,20 @@ RSpec.describe '/user/spree_user/auth/openid_connect/callback', type: :request d
       expect(account.uid).to eq "ofn@example.com"
       expect(response.status).to eq(302)
     end
+
+    context 'when OIDC account already linked with a different user' do
+      before do
+        other_user = create(:user, email: "ofn@elsewhere.com")
+        OidcAccount.create! user_id: other_user.id, uid: "ofn@example.com"
+      end
+
+      it 'fails with error message' do
+        expect { request! }.not_to change { OidcAccount.count }
+
+        expect(response.status).to eq(302)
+        expect(flash[:error]).to match "ofn@example.com is already associated with another account"
+      end
+    end
   end
 
   context 'when the omniauth openid_connect is mocked with an error' do
@@ -46,6 +60,7 @@ RSpec.describe '/user/spree_user/auth/openid_connect/callback', type: :request d
       expect { request! }.not_to change { OidcAccount.count }
 
       expect(response.status).to eq(302)
+      expect(flash[:error]).to match "Could not sign in"
     end
   end
 end